BlackHat 2019 Preview: the Emerging Encryption Solution Market

Want to meet CryptoMove at BlackHat? We’ll be at booth IC2305 in Innovation City in the Business Hall!

Information security and technology leaders across the country are preparing for the upcoming BlackHat conference next week in Las Vegas. Between the BlackHat, BSides and DEF CON events, they are certain to encounter speakers and vendors focused on new developments in data protection and encryption.

Visit CryptoMove at BlackHat!

With an abundance of technologies and solutions to explore, it’s easy to get lost in the weeds when evaluating the market for secure data storage and key management. There are many misconceptions about encryption-related startups, and it’s not always clear, even to savvy IT professionals, what problems the different technologies are attempting to solve.

This post reviews the categories of data security solutions to clarify some of the confusion. Armed with this background, we hope that the plethora of information at BlackHat will be simpler to categorize and apply to any specific organization’s cybersecurity needs.

Stop by to visit us at booth IC2305, located in the BlackHat Innovation City. We’ll have plenty of swag (of course) and would be happy to demo how our SaaS platform offers a new paradigm for protecting keys and secrets.

Categories of Data Security Solutions

Traditional Encryption for Data at Rest

The history of traditional encryption for data at rest dates back nearly 50 years. The Data Encryption Standard (DES), based on work done by the “crypto group” at IBM in the early 1970s, was first published in the Federal Register in 1975 and formally issued in 1977. In 2001, it was replaced by the Advanced Encryption Standard (AES), a new standard necessitated by weaknesses in DES. DES had an encryption key length of 56 bits while AES enables keys of 128, 192, and 256 bits.

The strength of standard encryption is that it is well-established and well-understood, and the weakness of standard encryption is…that it is well-established and well-understood.

Standard encryption is designed to protect data at rest, and it can be effective. A challenge with traditional encryption, though, is that it necessarily involves a predictable and stationary attack surface. Attackers can study a system, and the more that they learn, the greater their ability to gain unauthorized access.

As a legacy technology, data protection solutions using standard encryption have generally lagged behind in meeting the needs of dynamic, multi-cloud DevOps environments.

Moving Target Defense (MTD)

Moving Target Defense is a paradigm-shifting approach to protecting data at rest. It fragments data and keeps it moving and shifting, and the result is an asymmetric advantage for defenders. Every moment that goes by, the attack surface changes, creating new challenges and barriers for attackers.

MTD is a game-changing technology because of how the protected data moves, not because of any “new crypto” algorithm.

CryptoMove launched in 2015 and holds multiple patents for this novel data protection approach. The CryptoMove back-end operates with AES-256 encryption as a default, but the technology can be customized to use various cryptographic algorithms. The constant movement and mutation of data generates entropy in the data store and is not dependent on any specific type of encryption. Moving target defense has been identified as a top priority by the Department of Defense, Department of Homeland Security, and many others.

CryptoMove also helps resolve a critical challenge facing DevOps — especially in multi-cloud environments — of effectively managing the proliferation of keys, tokens, authorizations, and other secrets. From accidental leaks in public repos like GitHub to malicious attacks on platforms like DockerHub, developers confront an environment with an ever-increasing number of both secrets to protect and threats to those secrets.

CryptoMove’s key vault provides a straightforward tool to allow development teams to effectively create, commit, manage, and share keys and secrets. Truly sensitive data can be stored in CryptoMove’s key vault, and API calls and throwaway tokens can be used in repos. In this way, CryptoMove streamlines DevOps processes while simultaneously making them more secure, a huge win for teams of any size.

Multiparty Computation (MPC)

In the mid-2010s, MPC garnered attention as a proposed new approach to protecting data at rest. MPC traces back to academic research first published in 1976 and refined in the early 1980s, and current commercial applications are built on this foundational work.

The key concept behind MPC is to split up data rather than store it intact, and compared to standard encryption, MPC offers one extra line of defense. Because secrets are not stored whole, attackers have to penetrate more than one part of the defenses to obtain sensitive data.

The weakness of MPC is that it still relies on stationary targets. Increasing only the number of targets does not radically alter the attack surface because, as with standard encryption, time serves the needs of attackers who can steadily accumulate knowledge of the system to plan an attack.

MPC is based on splitting up data. MTD splits up data *and* keeps it constantly moving and morphing. This difference explains why only MTD truly alters the attack surface.

While at first glance MPC may sound like MTD, MPC is far less dynamic and can’t offer the same level of protection. The essence of MTD — moving targets — nullifies the value of prior reconnaissance by attackers, and MPC cannot provide this paradigm-shifting functionality.
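The "split the data rather than store it intact" idea this section describes, as an added example that is not part of the original post or any vendor's code: a toy threshold secret-sharing scheme (Shamir, 1979), one of the building blocks MPC-based secret protection rests on. The field prime, the 3-of-5 threshold and the sample key are constructed for illustration.

```python
"""Threshold secret sharing (Shamir, 1979), a toy model of the "split the data
rather than store it intact" idea behind MPC-based secret protection.
Added example, not CryptoMove's or any vendor's code; the field prime,
threshold and share count are constructed for illustration."""
from __future__ import annotations

import secrets

# A 127-bit Mersenne prime; secrets and shares are elements of GF(PRIME).
PRIME = 2**127 - 1


def split(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Return `shares` points on a random degree-(threshold-1) polynomial whose
    constant term is `secret`; any `threshold` points recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # Constant term is the secret; every other coefficient is uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):      # x = 0 would hand out the secret itself
        y = 0
        for c in reversed(coeffs):      # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def reconstruct(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo() -> tuple[int, int, int]:
    """Split a constructed 127-bit key 3-of-5: three shares recover it, two
    interpolate to a value that carries no information about it."""
    key = secrets.randbelow(PRIME)          # constructed stand-in for an AES key
    parts = split(key, threshold=3, shares=5)
    with_three = reconstruct(parts[1:4])    # any three shares work
    with_two = reconstruct(parts[:2])       # below threshold: unrelated value
    return key, with_three, with_two
```

An attacker who compromises two of the five share holders learns nothing about the key; this is the "extra line of defense" the section refers to, and it holds regardless of which two shares were taken.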

Intel Software Guard Extensions (SGX)

Intel SGX, first described in 2013 and launched in 2015 with the 6th generation Intel® Core™ Processor, creates private enclaves within the CPU to protect sensitive data. The enclaves are stored on secure hardware separate from the OS.

Though compelling conceptually, SGX has shown vulnerabilities, especially to various types of side-channel attacks. These attacks compromise security by observing secondary information that can reveal cryptographic keys. Examples of side-channel attacks that have been deployed against SGX include cache attacks (including one used to steal Bitcoin), attacks on the directional branch predictor, and interface-based attacks.

Unfortunately, thwarting attacks on SGX requires considerable technical skill and development resources, which poses a challenge for the many organizations relying on this technology as they try to keep up in a cat-and-mouse game with sophisticated attackers.

Another important consideration with SGX is that it was not built for data at rest. It is a solution focused on data in motion and data in use. CryptoMove, on the other hand, fortifies data at rest by eliminating stationary targets. At the same time, CryptoMove’s technology can be applied to data in motion and data in use through the creation of in-memory disks, which are virtual memory enclaves with moving data fragments that facilitate runtime security.

Homomorphic Encryption

As with MPC, the academic foundation for homomorphic encryption dates back to the 1970s. The idea was first laid out in 1976, but it would take decades before serious commercialization efforts took hold.

The selling point of homomorphic encryption is its ability to secure data in use. It allows computations on encrypted data without having to decrypt it. In the era of big data, which frequently involves huge datasets containing private information, homomorphic encryption offers a way to assuage concerns about leaks when utilizing this data.
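The property just described, as an added example that is not part of the original post or any vendor's code: a toy Paillier cryptosystem, which is additively homomorphic, so multiplying two ciphertexts yields an encryption of the sum of their plaintexts, and an aggregator can total values it can never read. The two primes are constructed for illustration and are far too small for real use.

```python
"""Additively homomorphic encryption (Paillier, 1999): a toy of computing on
ciphertexts without ever decrypting them. Added example, not code from the
original post or any vendor; the two primes are constructed for illustration
and are far too small for real use."""
import math
import secrets

P, Q = 1000003, 1000033                        # constructed toy primes
N = P * Q                                      # public modulus
N2 = N * N
G = N + 1                                      # standard generator choice
LAMBDA = math.lcm(P - 1, Q - 1)                # private exponent
MU = pow(LAMBDA, -1, N)                        # private multiplier (valid for g = n+1)


def encrypt(m: int) -> int:
    """c = g^m * r^n mod n^2 with fresh random r, so equal plaintexts give
    different ciphertexts."""
    if not 0 <= m < N:
        raise ValueError("plaintext must be in [0, n)")
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            break
    return (pow(G, m, N2) * pow(r, N, N2)) % N2


def decrypt(c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) // n."""
    return ((pow(c, LAMBDA, N2) - 1) // N * MU) % N


def add_encrypted(c1: int, c2: int) -> int:
    """Multiplying ciphertexts yields an encryption of the plaintext sum."""
    return (c1 * c2) % N2


def scale_encrypted(c: int, k: int) -> int:
    """Raising a ciphertext to k yields an encryption of k * m (mod n)."""
    return pow(c, k, N2)


def encrypted_total(values: list) -> tuple:
    """Aggregate plaintext values while the aggregating side handles only
    ciphertexts; returns (ciphertext_of_sum, sum_recovered_by_key_holder)."""
    acc = encrypt(0)
    for v in values:
        acc = add_encrypted(acc, encrypt(v))
    return acc, decrypt(acc)
```

Paillier supports only addition and multiplication by a constant; schemes that allow arbitrary computation on ciphertexts are far heavier, which is the cost the next paragraph describes.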

The biggest limitation of homomorphic encryption to date has been its practicality. Computations tend to be slow and resource-intensive, often to an extent that renders them of questionable utility in real-world situations. Lingering questions remain as well about the vulnerability to attack and overall security of sensitive data protected by homomorphic encryption.

What is often missed is that CryptoMove’s MTD and homomorphic encryption are built to solve different data protection problems.

CryptoMove is first-and-foremost a solution to defend data at rest while homomorphic encryption is focused on data in use. For data at rest, homomorphic encryption offers no additional protection relative to standard encryption. As a result, while these technologies are both represented within the market for encryption-related startups, they diverge significantly in their emphasis and use cases.

Conclusion

As one of the year’s largest information security conferences, BlackHat can be a whirlwind. With so many technologies on display, sorting through the options for data security is no easy task. But even as many new players have entered the market, encryption-related solutions ultimately boil down to the technologies we’ve described: traditional encryption, MTD, MPC, SGX, and homomorphic encryption.

Each of these technologies attempts to solve specific problems and comes with its own set of strengths and weaknesses. Finding the optimal solution for any organization, then, requires candidly evaluating security needs and opting for the approach that best meets them.

CryptoMove is an MTD-based secure storage solution for data at rest. It doesn’t depend on any new cryptographic algorithm to stymie potential attackers; instead, patented game-changing technology keeps data fragmented and continually morphing to foil attackers and their information-gathering efforts.

Already in 2019, MTD has been picking up significant momentum. Interest and investment in MTD in both the defense and private sectors is pushing forward a paradigm shift away from static and stationary defenses.

We hope you’ll stop by our booth at BlackHat — IC2305 in the Innovation Hall — to find out more about whether our platform is a fit for your organization’s data security demands.

In addition to our booth at BlackHat, CryptoMove is a proud sponsor of the upcoming BSidesLV Conference and will be keeping a close eye on updates coming out of the DEF CON Hacking Conference.

While conferences provide a great way to become familiar with new technologies, it is not necessary to attend these events to learn about how MTD can meet your needs. CryptoMove is offering free access for individual developers to try out the CryptoMove Key Vault, which provides an intuitive front-end for managing keys and secrets that are protected on the back-end by MTD. The CryptoMove team is hard at work to continue expanding CryptoMove’s features for DevOps, including the recent integration with CircleCI and Jenkins, improvements to our UI, and other updates listed in our Changelog.

CryptoMove is proud to create tools that support information security professionals and developers in all types of organizations, ranging from startups to Fortune 100 companies to the U.S. military. As this summer’s conference season picks up speed, we look forward to working with a growing list of partners and customers to implement lasting and dynamic solutions for secure data storage.

Visit our conference event page for all the details on CryptoMove at BlackHat 2019!